Operating System - HP-UX

Re: root su to other user need password

 
SOLVED
Yu Zhen_1
Occasional Contributor

root su to other user need password

I am trying to set up a system with the following security policy: when root tries to "su" to another user, it still needs that particular user's password.
Can it be realized based on HPUX?
7 REPLIES
Michael Tully
Honored Contributor
Solution

Re: root su to other user need password

In a simple answer, no. Once you are 'root' you can 'su' to any account without a password. I'm not sure why you would want to do this anyway. You will have no idea really on who is doing it anyway. Your best bet is to have 'usera' 'su' to 'userb' so that it is at the very least logged.
If you're trying to create a security policy and therefore a secure environment, this is not what you want to do.

Invest some time also in looking at 'sudo' as well.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Anyone for a Mutiny ?
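
The logging point above can be checked against the su log. This is an added example, not part of any reply in this thread: a shell/awk audit that separates root's passwordless switches from authenticated and failed ones. It assumes the System V sulog record format (on HP-UX the file is normally /var/adm/sulog); the sample records and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify su activity from an HP-UX-style sulog.
# Assumed record format: SU MM/DD HH:MM {+|-} tty fromuser-touser

# Constructed sample records (not taken from a real system).
sample_sulog() {
cat <<'EOF'
SU 03/14 09:02 + ttyp1 alice-root
SU 03/14 09:05 + ttyp1 root-oracle
SU 03/14 09:40 - ttyp3 bob-oracle
SU 03/14 09:41 + ttyp3 bob-oracle
SU 03/15 11:17 + console root-alice
garbage line that is not a su record
EOF
}

# audit_sulog: read sulog records on stdin, print one classified line each.
#   ROOT_SWITCH  root became another user (su asked for no password)
#   FAILED       su attempt was rejected (flag "-")
#   USER_SWITCH  any other successful switch (the caller authenticated)
audit_sulog() {
  awk '
    # Skip anything that is not a well-formed su record.
    $1 != "SU" || NF != 6 || ($4 != "+" && $4 != "-") { next }
    {
      # Split "from-to" at the first hyphen (ambiguous if names contain "-").
      i = index($6, "-"); if (i < 2) next
      from = substr($6, 1, i - 1); to = substr($6, i + 1)
      if ($4 == "-")                            kind = "FAILED"
      else if (from == "root" && to != "root")  kind = "ROOT_SWITCH"
      else                                      kind = "USER_SWITCH"
      printf "%s %s %s %s %s->%s\n", kind, $2, $3, $5, from, to
    }'
}

# count_kind KIND: count classified records of one kind read from stdin.
count_kind() {
  audit_sulog | awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Audit the file named on the command line, or the constructed sample.
if [ $# -gt 0 ]; then audit_sulog < "$1"; else sample_sulog | audit_sulog; fi
```

A ROOT_SWITCH line only tells you that someone holding root became that user, not which person it was, which is why the reply above recommends switching from a named account instead.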
Stefan Farrelly
Honored Contributor

Re: root su to other user need password


Not with standard HP-UX. You need something like sudo which replaces the su binary with a different one which you can control. I think it has the option to enforce password checks for all su attempts.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
doug hosking
Esteemed Contributor

Re: root su to other user need password

This was debated by the owners of the HP-UX su code a few years ago. Their conclusion: It really makes no sense to require a password in this case, since a superuser can just edit or replace /etc/passwd with one that has no password for any user, create a shell that is setuid to that user, change the uid field in /etc/passwd for any given user to match the desired user, or any of a long list of other ways to become that user without a password. So requiring a password within su in this case accomplishes nothing more than annoying the sysadmin, even though it may APPEAR to improve security.
Antonio Farre
New Member

Re: root su to other user need password

If you are root and you enter

su oneuser -c "su - otheruser"

you will be prompted for the passwd of otheruser

If you move the su command out of the root path and include, in a script called su, the line

/real/path/to/su oneuser -c "/real/path/to/su $*"

when you run the script as root (in the root path)

su otheruser
su - otheruser

It's just an idea. I haven't tried it.

If I'm wrong just tell me

Tony
Tony
Fragon
Trusted Contributor

Re: root su to other user need password

I think you must use another piece of software, just like su, to achieve this task.
In HP-UX root is the system's owner, it can do everything! It's a little case to switch to a normal user.

Gelard
Yogeeraj_1
Honored Contributor

Re: root su to other user need password

hi,

The answer is NO.
==============================

SYNOPSIS
su [-] [username [arguments]]

username is the name of a user defined in the /etc/passwd file. The default name is root (that is, superuser).

To use su, the appropriate password must be supplied unless the current user is superuser. If a valid password is entered, su executes a new shell with the real and effective user ID, real and effective group ID, and group access list set to that of the specified user. The new shell is the one specified in the shell field of the new user's entry in the password file, /etc/passwd.

The arguments are passed along to the new shell for execution, permitting the user to run shell procedures with the new user's privileges.

When exiting from the new shell, the previous username and environment are restored.


==============================
'root' can 'su' to any account without a password.

Is it a good idea to mingle with the "root" user?

Root is the SUPERUSER with all rights. period.

In your case, I would protect the root password.

Best Regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Antonio Farre
New Member

Re: root su to other user need password

I understand, based on the original question, that whoever manages the root password is "in" root with all permissions and privileges.
Then, if root wants to be prompted for a password when switching to another user for any reason, he obtains what he wants by making root run su as another user. Doing this, he will be prompted for a passwd.
You are right when you say that it is not convenient and we must not do that.
When exiting the "otheruser" shell, root will return to root.
I don't do that.
I say that it is possible using the syntax of "su".

Sorry

Ton
Tony